Oracle Blog

Mark Dixon's quest to explore the world of Identity Management

Tuesday Dec 22, 2009

It is almost Christmas Eve. In the midst of an insomnia episode, I conjured up a crazy notion of making a Christmas wish list of things I want from a Personal Identity-Persona Service (PIPS). Your list may be different, but here’s mine.

Secure Identity Bank Vault for my Identity Profile and Credentials. Of all the potential Identity Providers jostling for prominence in the market, I favor my bank the most. They take pretty good care of my money, enable me to selectively send some of my money to other people, and seem to be sensitive to the issues surrounding security, privacy, liability and potential cyber threats. I think I could trust them to take good care of my online Identity. Think of it as the bank providing a safe deposit box for all the Identity attributes that I want to store and use, and providing the means to selectively take out Identity attributes for presentation to other people. This vault should be located in a secure cloud, so I can get access from any computer or mobile device of my choice. I think this is a concept even my technology-challenged wife, mother and father could readily understand and accept.

Really Easy to use Identity/Profile/Persona Editor. With my Secure Identity Bank Vault in place, I need a really easy to use way to fill that vault with my Identity information and maintain it over time. This will include the information I would normally provide to an online merchant or social network, as well as subsets of such information that I can define for the purpose of presenting different personae to facilitate different online experiences.

Multiple Levels of Identity Assurance or Validation. I want to make sure that other people can’t impersonate me by setting up a fake Identity Bank Vault for Mark Dixon that could be used to conduct illicit transactions. To do that, methods need to be in place to validate the claims I make about my identity, such as birthplace, social security number, credit card numbers, etc. Progressively rigorous checks of my background information will allow me to confidently present Bronze, Silver, Gold or Platinum Identity credentials to enable different levels of online interaction.

Really Easy to use Persona Selector. I need the ability to easily select from a set of personae I have defined in the Identity Bank Vault. For example, I will most likely have one persona to use for online shopping, one for interaction with state government, and another for using my church website. This selector needs to be immediately accessible, probably in the browser toolbar. For mobile use, the persona selector needs to be easily accessed and presented by any online application that requires me to log in or pay for services.

Multiple Levels of Secure Authentication. I want to make sure that no one can access and use my Identity Bank Vault or the personae and credentials it contains without my explicit permission. In some cases, I may want to simply surf the web and virtually window shop by identifying myself with a user name and password. However, I would like to restrict access to any financial transactions or health care record access by requiring a digital certificate (probably on a USB fob) and perhaps with a fingerprint check (perhaps via that same USB device).

Option to Use Separate Personae for Login and Payment. In some cases, I may want to use an Internet Persona to poke around the web, do some window shopping and try things out. I may want to log in to Amazon, eBay, Barnes and Noble or other merchants before I decide to buy. None of these merchants needs to know my credit card information before I decide to buy something. Therefore, I need an easy method for first identifying myself and subsequently presenting my payment method.

Audit Reports. I would like to get an online “Identity bank statement” each month or on demand, detailing my use of the PIPS service. This would allow me to verify that all uses were legitimate and would help me determine if adjustments were needed in my profile or use of the service.

Fraud Insurance. If a privacy breach or other unauthorized use of my Identity or credentials occurs through no fault of my own, I would like to be insured against possible damages. This would be similar to the fraud protection currently provided by credit card companies.

Of course, in order for a PIPS service to be worth much, social networks, online merchants, government agencies and other relying parties will need to accept my PIPS profile and credentials. But wouldn’t it be great if I could maintain one set of Identity and Profile information and have that available for consumption by any merchant or social network, according to my wishes? I would be willing to pay a yearly fee for such a service, much like I pay certain bank fees now. Or, perhaps those fees would be waived if I maintained a certain account balance or averaged a certain transaction volume on a credit card issued by the bank.

Will something like this happen? I think so. Probably not in 2010. By 2015? I certainly hope so.

Thursday Dec 10, 2009

Last week I had a stimulating conversation with Jim Kinchley and Chris Madsen, executives of Trufina, a “provider of online identity verification and identity management services, enabling individuals to verify their identity attributes online, and providing the identity management tools for sharing that verified identity information with individuals and websites across the Internet.”

In October, I posted an article entitled Identity Trend 4: Identity Assurance, one of a series of posts about important trends in the Identity Management industry. In that post I proposed, “With the continual expansion of online fraud and other threats to online security and privacy, the need for Identity Assurance methods is rising. Being able to certify that the correct Identity credentials are issued to the correct user before access is attempted is an increasingly critical issue.”

A few days after I authored that post, I became aware of Trufina, signed up for an account, paid a small fee, and had my Identity verified through a series of online questions drawn from publicly available information about me that presumably only I would know. As evidence of that successful vetting process, I posted a Trufina badge on this blog (see right column). This badge visually represents that my identity had been verified by Trufina, and provides a way that blog visitors could request a Trufina ID Card with details I elect to share. Do you want to see how it works? Please click on the Trufina badge or click here, enter your email address, and I’ll send you a link to see my Trufina-verified Identity Card.

Trufina provides a public API to allow websites to take advantage of Trufina identity validation services. For example, the Naymz online Professional Reputation Network allows members to link their Trufina Verified ID to the Naymz profile. In such a case, the Trufina Verified ID badge is shown on the Naymz member profile. I don’t use the Naymz network as extensively as LinkedIn or Facebook, but neither of those more popular social networks has validated my Identity as well as Naymz has done, thanks to the Trufina process.

I look forward to seeing how Trufina progresses in the marketplace. We really need a critical mass of easily accessible, yet secure, Identity validation services to increase the level of trust and confidence in online relationships.

This little exercise, where I wasn’t really THE Harry Truman, illustrates the need for Identity Assurance to validate whether my identity credentials really represent who I really am. Identity Assurance can be described as “a means to allow Identity Providers (IdPs), Relying Parties (RPs) and subscribers to determine the degree of certainty that the identity of an entity presenting an electronic identity credential is truly represented by the presented credential.”

With the continual expansion of online fraud and other threats to online security and privacy, the need for Identity Assurance methods is rising. Being able to certify that the correct Identity credentials are issued to the correct user before access is attempted is an increasingly critical issue.

By comparing the assurance level against the potential impact of authentication errors, we get a clear picture of how the wide spectrum of online access transactions requires substantially different levels of Identity assurance.

My impersonating the late Harry Truman requires minimal assurance because the potential impact for the transactions I conducted is minor. However, at the other end of the spectrum, identity credentials used to conduct high value financial transactions protected by civil or criminal statute are probably worthy of far more stringent Identity Assurance screening.

So, who is responsible to issue high level credentials? Should it be the government, which is responsible for issuing validated credentials like birth certificates, passports and driver’s licenses? Should it be private enterprise? It depends on the two factors illustrated above: Assurance Level and Potential Impact.

Recommendations:

Consider these questions for your specific cases:

What level of assurance do you require to match the risk (potential impact) to the cost and complexity of issuing identity credentials?

What different levels may be appropriate for different applications or systems for which you are responsible?

What sources of validation are appropriate to assure that the identity credentials you issue are valid?

What role should government or private enterprise have in Identity assurance?

By the way, I still think Harry and Bess look good together. What do you think?

About

Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.